ICO issues first NHS data protection fine

By Graeme Burton
02 May 2012 View Comments
Information Commissioner's Office logo

Just a week after Computing questioned the willingness of the Information Commissioner's Office (ICO) to levy fines against negligent organisations in the NHS, the ICO has imposed a £70,000 fine against the Aneurin Bevan Local Health Board in Pontypool, South Wales.

The fine was levied following a number of errors that resulted in a report containing sensitive, personal information being sent to the wrong patient. Following an on-site investigation, the ICO concluded that both the consultant and the secretary involved had not received the appropriate training on data protection.

Further reading

It also found that similar poor practice was rife throughout the Trust and that it had failed to put in place the appropriate processes to make sure that personal information was sent to the right people.

As part of the settlement with the ICO, the Trust has committed to improving training for staff in protecting patients' personal data, as well as introducing processes in a bid to prevent a re-occurrence.

Although it is the first fine to be levied against an NHS organisation, Brighton and Sussex University Hospitals NHS Trust is facing a heftier fine of £375,000 after a batch of hard-disk drives that were supposed to have been destroyed by a contactor were, instead, sold on auction website eBay.

That incident occurred in September 2010, but the Trust is contesting the fine.

• A full interview with the ICO will appear in the next print issue of Computing.

Reader comments
blog comments powered by Disqus
Newsletters
Windows 10 - will you upgrade?

Microsoft has made an early version of Windows 10 - its next operating system - available for download. The OS promises better integration and harmonisation across platforms, including mobile and desktop. Will your business be upgrading?

27 %
37 %
18 %
18 %